Managing your dependency security

Customize and configure features for dependency management.

Customizing auto-triage rules to prioritize Dependabot alerts

You can create your own auto-triage rules to control which alerts are dismissed or snoozed, and which alerts you want Dependabot to open pull requests for.

Using GitHub preset rules to prioritize Dependabot alerts

You can use GitHub presets, which are rules curated by GitHub, to auto-dismiss low impact development alerts for npm dependencies.

Customizing pull requests for Dependabot security updates

Learn how to customize Dependabot pull requests for security updates to align with your project's security priorities and workflows.

Controlling which dependencies are updated by Dependabot

Learn how to configure your dependabot.yml file so that Dependabot automatically updates the packages you specify, in the way you define.

Configuring the dependency review action

You can use the dependency review action to catch vulnerabilities before they are added to your project.

Optimizing Java packages for Dependabot updates

By including metadata in your pom.xml file, you can enhance the information available to users in Dependabot pull requests to update your Java packages.

Configuring notifications for Dependabot alerts

Optimize how you receive notifications about Dependabot alerts.

Configuring access to private registries for Dependabot

You can configure Dependabot to access dependencies stored in private registries. You can store authentication information, like passwords and access tokens, as encrypted secrets and then reference these in the Dependabot configuration file.

Removing Dependabot access to public registries

Examples of how you can configure Dependabot to only access private registries by removing calls to public registries.

Managing pull requests for dependency updates

You manage pull requests raised by Dependabot in much the same way as other pull requests, but there are some extra options.

Listing dependencies configured for version updates

You can view the dependencies that Dependabot monitors for updates.

Guidance for the configuration of private registries for Dependabot

This article contains detailed information about configuring private registries, as well as commands you can run from the command line to configure your package managers locally.